Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.
'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process.
This issue affects phoenix_storybook from 0.4.0 before 1.1.0.
AnalysisAI
Cross-session PubSub topic injection in phoenix_storybook (versions 0.4.0 through before 1.1.0) allows a remote unauthenticated attacker to redirect a victim's playground control messages to an attacker-controlled LiveView iframe process. The vulnerability exists because ComponentIframeLive reads the PubSub coordination topic verbatim from a URL query parameter with no session-binding validation, enabling an attacker who loads a crafted iframe URL to hijack variation state changes, theme switches, and extra-assign payloads intended for a victim's active playground session. No public exploit code exists and no CISA KEV listing is present; the CVSS 4.0 score of 2.3 reflects genuinely low severity given the prerequisites required.
Technical ContextAI
phoenix_storybook is an Elixir Hex package that builds interactive component documentation playgrounds on top of Phoenix LiveView and Phoenix PubSub. The playground architecture uses a shared PhoenixStorybook.PubSub bus to coordinate between a parent StoryLive LiveView and an embedded ComponentIframeLive iframe: the iframe announces its process PID on a session-specific topic so the playground can direct control messages via Elixir send/2. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key) - handle_params/3 in component_iframe_live.ex consumed params["topic"] directly from the URL without verifying that the topic was generated by, or belongs to, the requesting session. The fix confirmed in commit 6ee03f1c replaces the raw topic query parameter with a cryptographically signed Phoenix.Token (salt: "phoenix_storybook:playground_topic", max_age: 86,400 seconds), ensuring only a server-generated token can authorize a topic binding. The parameter was renamed from "topic" to "playground_token" to make the change explicit at the protocol level.
RemediationAI
Upgrade phoenix_storybook to version 1.1.0 or later by updating mix.exs to specify {:phoenix_storybook, ">= 1.1.0"} and running mix deps.update phoenix_storybook. The fix is confirmed in commit 6ee03f1c at https://github.com/phenixdigital/phoenix_storybook/commit/6ee03f1c738d4436dde1b066cf65c80663d489f5, which introduces signed token verification for the playground topic parameter. If an immediate upgrade is not feasible and the storybook instance is not restricted to trusted users, restrict network access to the /storybook route at the reverse proxy level (e.g., nginx allow/deny directives or WAF IP allowlisting) - this eliminates the network-accessible attack vector without code changes, though it prevents any external access to the storybook interface. Note that exposing phoenix_storybook publicly is generally inadvisable regardless of this CVE. Full advisory details are at https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31111
GHSA-mrhx-6pw9-q5fh